US20230356714A1 - Processing method, processing system, and processing device - Google Patents

Processing method, processing system, and processing device Download PDF

Info

Publication number
US20230356714A1
US20230356714A1 US18/353,778 US202318353778A US2023356714A1 US 20230356714 A1 US20230356714 A1 US 20230356714A1 US 202318353778 A US202318353778 A US 202318353778A US 2023356714 A1 US2023356714 A1 US 2023356714A1
Authority
US
United States
Prior art keywords
moving object
abnormality
constraint
restriction
host vehicle
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
US18/353,778
Other languages
English (en)
Inventor
Atsushi Baba
Tetsuya Tohdo
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Denso Corp
Original Assignee
Denso Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Denso Corp filed Critical Denso Corp
Assigned to DENSO CORPORATION reassignment DENSO CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: Tohdo, Tetsuya, BABA, ATSUSHI
Publication of US20230356714A1 publication Critical patent/US20230356714A1/en
Pending legal-status Critical Current

Links

Images

Classifications

    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W60/00Drive control systems specially adapted for autonomous road vehicles
    • B60W60/001Planning or execution of driving tasks
    • B60W60/0015Planning or execution of driving tasks specially adapted for safety
    • B60W60/0016Planning or execution of driving tasks specially adapted for safety of the vehicle or its occupants
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W30/00Purposes of road vehicle drive control systems not related to the control of a particular sub-unit, e.g. of systems using conjoint control of vehicle sub-units
    • B60W30/08Active safety systems predicting or avoiding probable or impending collision or attempting to minimise its consequences
    • B60W30/09Taking automatic action to avoid collision, e.g. braking and steering
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W40/00Estimation or calculation of non-directly measurable driving parameters for road vehicle drive control systems not related to the control of a particular sub unit, e.g. by using mathematical models
    • B60W40/02Estimation or calculation of non-directly measurable driving parameters for road vehicle drive control systems not related to the control of a particular sub unit, e.g. by using mathematical models related to ambient conditions
    • B60W40/04Traffic conditions
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/02Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
    • B60W50/0205Diagnosing or detecting failures; Failure detection models
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W60/00Drive control systems specially adapted for autonomous road vehicles
    • B60W60/001Planning or execution of driving tasks
    • B60W60/0015Planning or execution of driving tasks specially adapted for safety
    • B60W60/0018Planning or execution of driving tasks specially adapted for safety by employing degraded modes, e.g. reducing speed, in response to suboptimal conditions
    • B60W60/00186Planning or execution of driving tasks specially adapted for safety by employing degraded modes, e.g. reducing speed, in response to suboptimal conditions related to the vehicle
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W60/00Drive control systems specially adapted for autonomous road vehicles
    • B60W60/005Handover processes
    • B60W60/0059Estimation of the risk associated with autonomous or manual driving, e.g. situation too complex, sensor failure or driver incapacity
    • GPHYSICS
    • G08SIGNALLING
    • G08GTRAFFIC CONTROL SYSTEMS
    • G08G1/00Traffic control systems for road vehicles
    • G08G1/16Anti-collision systems
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/02Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
    • B60W50/0205Diagnosing or detecting failures; Failure detection models
    • B60W2050/021Means for detecting failure or malfunction
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W50/00Details of control systems for road vehicle drive control not related to the control of a particular sub-unit, e.g. process diagnostic or vehicle driver interfaces
    • B60W50/02Ensuring safety in case of control system failures, e.g. by diagnosing, circumventing or fixing failures
    • B60W50/0205Diagnosing or detecting failures; Failure detection models
    • B60W2050/0215Sensor drifts or sensor failures
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2420/00Indexing codes relating to the type of sensors based on the principle of their operation
    • B60W2420/40Photo, light or radio wave sensitive means, e.g. infrared sensors
    • B60W2420/403Image sensing, e.g. optical camera
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2420/00Indexing codes relating to the type of sensors based on the principle of their operation
    • B60W2420/40Photo, light or radio wave sensitive means, e.g. infrared sensors
    • B60W2420/408Radar; Laser, e.g. lidar
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2520/00Input parameters relating to overall vehicle dynamics
    • B60W2520/10Longitudinal speed
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2520/00Input parameters relating to overall vehicle dynamics
    • B60W2520/12Lateral speed
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2552/00Input parameters relating to infrastructure
    • B60W2552/10Number of lanes
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2552/00Input parameters relating to infrastructure
    • B60W2552/53Road markings, e.g. lane marker or crosswalk
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2554/00Input parameters relating to objects
    • B60W2554/40Dynamic objects, e.g. animals, windblown objects
    • B60W2554/402Type
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2554/00Input parameters relating to objects
    • B60W2554/40Dynamic objects, e.g. animals, windblown objects
    • B60W2554/404Characteristics
    • B60W2554/4041Position
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2554/00Input parameters relating to objects
    • B60W2554/80Spatial relation or speed relative to objects
    • B60W2554/801Lateral distance
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2554/00Input parameters relating to objects
    • B60W2554/80Spatial relation or speed relative to objects
    • B60W2554/802Longitudinal distance
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2555/00Input parameters relating to exterior conditions, not covered by groups B60W2552/00, B60W2554/00
    • B60W2555/60Traffic rules, e.g. speed limits or right of way
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2556/00Input parameters relating to data
    • B60W2556/40High definition maps
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2556/00Input parameters relating to data
    • B60W2556/45External transmission of data to or from the vehicle
    • B60W2556/50External transmission of data to or from the vehicle of positioning data, e.g. GPS [Global Positioning System] data
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2720/00Output or target parameters relating to overall vehicle dynamics
    • B60W2720/10Longitudinal speed
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2720/00Output or target parameters relating to overall vehicle dynamics
    • B60W2720/14Yaw
    • BPERFORMING OPERATIONS; TRANSPORTING
    • B60VEHICLES IN GENERAL
    • B60WCONJOINT CONTROL OF VEHICLE SUB-UNITS OF DIFFERENT TYPE OR DIFFERENT FUNCTION; CONTROL SYSTEMS SPECIALLY ADAPTED FOR HYBRID VEHICLES; ROAD VEHICLE DRIVE CONTROL SYSTEMS FOR PURPOSES NOT RELATED TO THE CONTROL OF A PARTICULAR SUB-UNIT
    • B60W2720/00Output or target parameters relating to overall vehicle dynamics
    • B60W2720/24Direction of travel

Definitions

  • the present disclosure relates to a processing technique for performing processing related to driving control of host moving object.
  • driving control related to a navigation operation of a host vehicle is planned in accordance with detection information related to an internal and external environment of the host vehicle.
  • the present disclosure provides a processing method, which is executed by a processor for performing a process related to a driving control of a host moving object.
  • the processing method includes: monitoring an abnormality in detection information that is generated by detecting an internal and external environment of the host moving object; and in response to determining the abnormality being occurred, setting a constraint or restriction on the driving control according to the detection information using a safety model, which is in compliance with a driving policy and is generated by modeling safety of intended functionality.
  • FIG. 1 is an explanatory table showing an explanation of terms in the present disclosure.
  • FIG. 2 is an explanatory table showing an explanation of terms in the present disclosure.
  • FIG. 3 is an explanatory table showing an explanation of terms in the present disclosure.
  • FIG. 4 is an explanatory table showing an explanation of terms in the present disclosure.
  • FIG. 5 is an explanatory table showing an explanation of terms in the present disclosure.
  • FIG. 6 is a block diagram showing a processing system according to a first embodiment.
  • FIG. 7 is a schematic diagram showing a traveling environment of a host vehicle to which the first embodiment is applied.
  • FIG. 8 is a block diagram showing a processing system according to the first embodiment.
  • FIG. 9 is a schematic diagram showing sensing under a lane structure according to the first embodiment.
  • FIG. 10 is a schematic diagram showing sensing under a lane structure according to the first embodiment.
  • FIG. 11 is a schematic diagram showing sensing under a lane structure according to the first embodiment.
  • FIG. 12 is a flowchart showing a processing method according to the first embodiment.
  • FIG. 13 is a schematic diagram showing a concept of a safety envelope according to the first embodiment.
  • FIG. 14 is a flowchart showing a restriction or constraint setting subroutine according to the first embodiment.
  • FIG. 15 is a graph showing a safety model according to the first embodiment.
  • FIG. 16 is a graph showing a safety model according to the first embodiment.
  • FIG. 17 is a schematic diagram showing sensing under a lane structure according to the first embodiment.
  • FIG. 18 is a schematic diagram showing sensing under a lane structure according to the first embodiment.
  • FIG. 19 is a schematic diagram showing sensing under a lane structure according to the first embodiment.
  • FIG. 20 is a schematic diagram showing sensing under a lane structure according to a second embodiment.
  • FIG. 21 is a schematic diagram showing sensing under a lane structure according to a second embodiment.
  • FIG. 22 is a flowchart showing a processing method according to the second embodiment.
  • FIG. 23 is a flowchart showing a restriction or constraint setting subroutine according to the second embodiment.
  • FIG. 24 is a flowchart showing a processing method according to a third embodiment.
  • FIG. 25 is a schematic diagram showing a safety model in a virtual environment according to a fourth embodiment.
  • FIG. 26 is a schematic diagram showing a safety model in a virtual environment according to the fourth embodiment.
  • FIG. 27 is a schematic diagram showing a safety model according to the fourth embodiment.
  • FIG. 28 is a schematic diagram showing a safety model according to the fourth embodiment.
  • FIG. 29 is a schematic diagram showing a safety model according to the fourth embodiment.
  • FIG. 30 is a flowchart showing a processing method according to the fourth embodiment.
  • FIG. 31 is a flowchart showing a restriction or constraint setting subroutine according to the fourth embodiment.
  • FIG. 32 is a schematic diagram showing a safety model according to the fourth embodiment.
  • FIG. 33 is a graph showing a safety model according to the fourth embodiment.
  • FIG. 34 is a graph showing a safety model according to the fourth embodiment.
  • FIG. 35 is a graph showing a safety model according to the fourth embodiment.
  • FIG. 36 is a graph showing a safety model according to the fourth embodiment.
  • FIG. 37 is a flowchart showing a processing method according to a fifth embodiment.
  • FIG. 38 is a flowchart showing a processing method according to a sixth embodiment.
  • FIG. 39 is a flowchart showing a restriction or constraint setting subroutine according to the sixth embodiment.
  • FIG. 40 is a block diagram showing a processing system according to a seventh embodiment.
  • FIG. 41 is a flowchart showing a processing method according to the seventh embodiment.
  • FIG. 42 is a block diagram showing a processing system according to an eighth embodiment.
  • FIG. 43 is a block diagram showing a processing system according to the eighth embodiment.
  • FIG. 44 is a flowchart showing a processing method according to the eighth embodiment.
  • FIG. 45 is a block diagram showing a processing system according to a ninth embodiment.
  • FIG. 46 is a schematic diagram showing a modification example of FIG. 20 .
  • Driving control related to a navigation operation of a host vehicle is planned in accordance with detection information related to an internal and external environment of the host vehicle. Therefore, when it is determined, based on a safety model generated corresponding to a driving policy and detected information, that the vehicle is potentially responsible for an accident, a driving control of the vehicle is restricted or constrained. In such a configuration, it is difficult to ensure an accuracy of the driving control in some cases.
  • a processing method which is executed by a processor for performing a process related to a driving control of a host moving object, includes: monitoring an abnormality in detection information that is generated by detecting an internal and external environment of the host moving object; and in response to determining the abnormality being occurred, setting a constraint or restriction on the driving control according to the detection information using a safety model, which is in compliance with a driving policy and is generated by modeling safety of intended functionality.
  • a processing system which executes a process related to a driving control of a host moving object, includes a computer-readable non-transitory storage medium and a processor, by executing a program stored in the computer-readable non-transitory storage, configured to: monitor an abnormality in detection information that is generated by detecting an internal and external environment of the host moving object; and in response to determining the abnormality being occurred, set a constraint or restriction on the driving control according to the detection information using a safety model, which is in compliance with a driving policy and is generated by modeling safety of intended functionality.
  • a computer-readable non-transitory storage medium which stores instructions of a processing program to be executed by a processor.
  • the processor performs a process related to a driving control of a host moving object by executing the instructions, and the instructions include: monitoring an abnormality in detection information that is generated by detecting an internal and external environment of the host moving object; and in response to determining the abnormality being occurred, setting a constraint or restriction on the driving control according to the detection information using a safety model, which is in compliance with a driving policy and is generated by modeling safety of intended functionality.
  • a processing device which is mountable to a host moving object and executes a process related to a driving control of the host moving object, includes a computer-readable non-transitory storage medium and a processor, by executing a program stored in the computer-readable non-transitory storage, configured to: monitor an abnormality in detection information that is generated by detecting an internal and external environment of the host moving object; and in response to determining the abnormality being occurred, set a constraint or restriction on the driving control according to the detection information using a safety model, which is in compliance with a driving policy and is generated by modeling safety of intended functionality.
  • the constraint or restriction according to the detection information is set to the driving control based on the safety model, which is in compliance with a driving policy and is generated by modeling safety of intended functionality.
  • FIG. 1 to FIG. 5 provide explanations of terms associated with each embodiment of the present disclosure. However, the definitions of terms should not be interpreted as being limited to the explanations shown in FIG. 1 to FIG. 5 . The definitions of terms should be interpreted under a condition that the interpretation does not deviate a spirit of the present disclosure.
  • a processing system 1 of the first embodiment illustrated in FIG. 6 performs a process related to driving control of a host moving object (hereinafter, referred to as an “driving control process”).
  • the host moving object which is a target of driving control process executed by the processing system 1 , is a host vehicle 2 shown in FIG. 7 . From a perspective of the host vehicle 2 , the host vehicle 2 corresponds to an ego-vehicle. For example, when all of the processing system 1 is mounted to the host vehicle 2 , the host vehicle 2 may be referred to as an ego-vehicle with respect to the processing system 1 .
  • the host vehicle 2 performs an automated driving.
  • the automated driving is classified into multiple levels according to a degree of manual intervention by the driver in a dynamic driving task (hereinafter, referred to as “DDT”).
  • the automated driving may be implemented by an autonomous driving control, such as conditional driving automation, advanced driving automation, or full driving automation, where the system in operation performs all of the DDTs.
  • the automated driving may be implemented in advanced driving assistance control, such as driving assistance or partial driving automation, where the driver as a vehicle occupant performs partial or all of the DDTs.
  • the automated driving may be implemented by either autonomous driving control or advanced driving assistance control, combination of autonomous driving control and advanced driving assistance control, or switching between the autonomous control and advanced driving assistance control.
  • the host vehicle 2 is equipped with a sensor system 5 , a communication system 6 , a map DB (Data Base) 7 , and an information presentation system 4 as shown in FIG. 6 and FIG. 8 .
  • the sensor system 5 acquires sensor data, which are usable by the processing system 1 , by detecting an external environment and internal environment of the host vehicle 2 .
  • the sensor system 5 includes an external sensor 50 and an internal sensor 52 .
  • the external sensor 50 may detect an object existing in the external environment of the host vehicle 2 .
  • the external sensor 50 which detects an object, may be at least one of a camera, a LiDAR (Light Detection and Ranging/Laser Imaging Detection and Ranging), a laser radar, a millimeter wave radar, an ultrasonic sonar, or the like.
  • the external sensor 50 may detect a condition of the atmosphere in the external environment of the host vehicle 2 .
  • the external sensor 50 which detects the atmosphere condition, may be at least one of an external temperature sensor or a humidity sensor.
  • the internal sensor 52 may detect a particular physical quantity related to vehicle motion (hereinafter, referred to as a kinetic physical quantity) in the internal environment of the host vehicle 2 .
  • the internal sensor 52 which detects the physical quantity, may be at least one of a speed sensor, an acceleration sensor, a gyro sensor, or the like.
  • the internal sensor 52 may detect a condition of an occupant in the internal environment of the host vehicle 2 .
  • the internal sensor 52 which detects occupant condition, may be at least one of an actuator sensor, a driver status monitor, a biosensor, a seating sensor, an in-vehicle device sensor, or the like.
  • the actuator sensor at least one of an accelerator sensor, a brake sensor, a steering sensor, or the like, which detects a driving operation state of the occupant regarding a motion actuator of the host vehicle 2 , may be used.
  • the communication system 6 acquires, via wireless communication, communication data usable by the processing system 1 .
  • the communication system 6 may receive positioning signals from artificial satellites of GNSS (Global Navigation Satellite System), which exist outside of the host vehicle 2 .
  • the communication system 6 which performs positioning, may be a GNSS receiver or the like.
  • the communication system 6 may transmit and receive communication signals to and from a V2X system, which exists outside of the host vehicle 2 .
  • the communication system 6 which performs V2X communication, may be at least one of a DSRC (Dedicated Short Range Communications) communication device, a cellular V2X (C-V2X) communication device, or the like.
  • DSRC Dedicated Short Range Communications
  • C-V2X cellular V2X
  • the communication system 6 may transmit and receive communication signals to and from a terminal device, which exists inside of the host vehicle 2 .
  • the communication system 6 which communicates with the terminal device, may be at least one of Bluetooth (registered trademark) equipment, Wi-Fi (registered trademark) equipment, infrared communication equipment, or the like.
  • the map DB 7 stores map data, which are usable by the processing system 1 .
  • the DB 7 includes at least one type of non-transitory tangible storage medium such as a semiconductor memory, a magnetic medium, and an optical medium.
  • the map DB 7 may be a database of a locator.
  • the locator estimates state quantities of the host vehicle 2 , which includes its own position.
  • the map DB 7 may be a database of a navigation unit.
  • the navigation unit navigates a route for the host vehicle 2 .
  • the map DB 7 may be implemented as combination of multiple types of DB.
  • the map DB 7 acquires and stores the latest map data through communication with an external center via the communication system 6 of V2X function.
  • the map data is two-dimensional or three-dimensional data representing a traveling environment of the host vehicle 2 .
  • Digital data of a high definition map may be used as the three-dimensional map data.
  • the map data may include road data representing, for example, at least one of positional coordinates of a road structure, road shape, road surface condition of the road.
  • the map data may include, for example, mark data representing at least one of road sign, road marking, and position coordinates and shapes of boundary lines.
  • the mark data included in the map data may represent a traffic sign, an arrow marking, a lane marking, a stop line, a direction sign, a landmark beacon, a rectangular-shaped sign, a business sign, a line pattern change of the road, or the like among the landmark.
  • the map data may include, for example, structure data representing at least one of the position coordinates and shapes of buildings and traffic lights, which face the road.
  • the mark data included in the map data may represent a streetlight, an edge of road, a reflective plate, a pole, or a back surface of the road sign among the landmark.
  • the information presentation system 4 presents notification information to occupants including the driver of the host vehicle 2 .
  • the information presentation system 4 includes a visual presentation unit, an auditory presentation unit, and a tactile presentation unit.
  • the visual presentation unit presents notification information by stimulating the visual sense of an occupant.
  • the visual presentation unit is at least one of, for example, a HUD (Head-up Display), an MFD (Multi Function Display), a combination meter, a navigation unit, a light emitting unit, and the like.
  • the auditory presentation unit presents notification information by stimulating auditory sense of an occupant.
  • the auditory presentation unit is, for example, at least one type of speaker, buzzer, vibration unit, and the like.
  • the tactile presentation unit presents notification information by stimulating cutaneous sense of an occupant.
  • the cutaneous sense stimulated by the tactile presentation unit includes at least one of tactile sense, temperature sense, wind sense, and the like.
  • the tactile presentation unit is, for example, at least one of a steering wheel vibration unit, a driver's seat vibration unit, a steering wheel reaction force unit, an accelerator pedal reaction force unit, a brake pedal reaction force unit, and an air conditioning unit.
  • the processing system 1 is connected to the sensor system 5 , the communication system 6 , the map DB 7 , and the information presentation system 4 via at least one of a LAN (Local Area Network), a wire harness, an internal bus, a wireless communication line, and the like.
  • the processing system 1 includes at least one dedicated computer.
  • the dedicated computer that constitutes the processing system 1 may be an integrated ECU (Electronic Control Unit) that integrates driving controls of the host vehicle 2 .
  • the dedicated computer that constitutes the processing system 1 may be a determination ECU that is configured to determine the DDT for the driving control of the host vehicle 2 .
  • the dedicated computer that constitutes the processing system 1 may be a monitoring ECU that monitors the driving control of the host vehicle 2 .
  • the dedicated computer that constitutes the processing system 1 may be an evaluation ECU that evaluates the driving control of the host vehicle 2 .
  • the dedicated computer that constitutes the processing system 1 may be a navigation ECU that navigates a travel route of the host vehicle 2 .
  • the dedicated computer that constitutes the processing system 1 may be a locator ECU that estimates a state quantity of the host vehicle 2 , and the state quantity includes the position of the host vehicle 2 .
  • the dedicated computer that constitutes the processing system 1 may be an actuator ECU that controls motion actuators of the host vehicle 2 .
  • the dedicated computer that constitutes the processing system 1 may be an HCU (Human Machine Interface Control Unit, HMI Control Unit) that controls information presentation in the host vehicle 2 .
  • the dedicated computer that constitutes the processing system 1 may be at least one external computer that is included in an external center or a mobile terminal device, which is configured to perform communication via, for example, the communication system 6 , with the host vehicle 2 .
  • the dedicated computer of the processing system 1 has at least one memory 10 and at least one processor 12 .
  • the memory 10 is at least one type of non-transitory tangible storage medium, such as a semiconductor memory, a magnetic medium, and an optical medium, for storing, in non-transitory manner, computer readable programs and data.
  • the processor 12 includes, as a core, at least one of, for example, a CPU (Central Processing Unit), a GPU (Graphics Processing Unit), an RISC (Reduced Instruction Set Computer) CPU, and the like.
  • the processor 12 executes multiple instructions included in a processing program stored in the memory 10 as software. Accordingly, the processing system 1 functions as multiple functional blocks to perform driving control process of the host vehicle 2 . As described above, in the processing system 1 , the functional blocks are implemented by the processor 12 , which executes multiple instructions of processing programs stored in the memory 10 for performing the driving control process of the host vehicle 2 . As shown in FIG. 8 , the functional blocks implemented by the processing system 1 include a sensing block 100 , a planning block 120 , a risk supervising block 140 , and a control block 160 .
  • the sensing block 100 acquires sensor data from the external sensor 50 and the internal sensor 52 of the sensor system 5 .
  • the sensing block 100 acquires communication data from the communication system 6 .
  • the sensing block 100 acquires map data from the map DB 7 .
  • the sensing block 100 senses internal environment and external environment of the host vehicle 2 by fusing multiple types of acquired data as inputs. By detecting the internal environment and external environment, the sensing block 100 generates detection information to be transmitted to the planning block 120 and the risk supervising block 140 in a latter stage.
  • the sensing block 100 When generating the detection information, acquires data from the sensor system 5 and the communication system 6 , recognizes or comprehends the meaning of acquired data, determines situation of the host vehicle 2 in the external environment and in the internal environment, and determines general situation of the host vehicle 2 including the internal environment condition of the host vehicle 2 by integrating the acquired data.
  • the sensing block 100 may provide substantially the same detection information to both the planning block 120 and the risk supervising block 140 .
  • the sensing block 100 may provide detection information to the planning block 120 , and provides different detection information to the risk supervising block 140 .
  • the detection information generated by the sensing block 100 describes a state of traveling environment of the host vehicle 2 detected for each scene.
  • the sensing block 100 may detect objects, including road users, obstacles, and structures in the external environment of the host vehicle 2 to generate the detection information of the object.
  • the detection information of object may represent at least one of, for example, a distance to the object, a relative velocity relative to the object, a relative acceleration relative to the object, and an estimated state based on tracking detection of the object.
  • the detection information of object may further represent a type recognized or identified based on the state of detected object.
  • the sensing block 100 may generate detection information of a travel route by detecting a travel route along which the host vehicle 2 is currently traveling and plans to travel in future.
  • the detection information of travel route may represent, for example, at least one of states among a road surface, a lane, a roadside, a free space, and the like.
  • the sensing block 100 may generate detection information of a self-state quantity including position information of the host vehicle 2 by localization to presumptively detect the self-state quantity.
  • the sensing block 100 may generate update information of the map data regarding the travel route of the host vehicle 2 at the same time as generating the detection information of the self-state quantity, and provide the update information to the map DB 7 as feedback.
  • the sensing block 100 may detect a mark associated with the travel route of the host vehicle 2 to generate the detection information of mark.
  • the detection information of mark may represent at least one of, for example, a traffic sign, a lane marking, a traffic light, or the like.
  • the detection information of mark may also represent a traffic rule that is recognized or identified from the state of traffic sign.
  • the sensing block 100 may generate the detection information of weather condition by detecting the weather condition for each scene in which the host vehicle 2 is traveling.
  • the sensing block 100 may generate the detection information of time by detecting a time for each driving scene of the host vehicle 2 .
  • the planning block 120 acquires the detection information from the sensing block 100 .
  • the planning block 120 plans driving control of the host vehicle 2 according to the acquired detection information.
  • control commands related to the navigation operation and driver assistance operation of the host vehicle 2 are generated. That is, the planning block 120 implements DDT function that generates a control command as a motion control request for host vehicle 2 .
  • the control command generated by the planning block 120 may include control parameters for controlling motion actuators of the host vehicle 2 .
  • the motion actuators to which control commands are output include, for example, at least one of an internal combustion engine, an electric motor, a power train in which the internal combustion engine is combined with the motor, a braking device, a steering device, and the like.
  • the planning block 120 may use a safety model, which is described according to a driving policy and safety of driving policy, to generate the control commands in compliance with the driving policy.
  • the driving policy according to which the safety model is generated, may be defined, for example, based on a vehicle level safety strategy that guarantees Safety Of The Intended Functionality (hereinafter, referred to as SOTIF).
  • SOTIF vehicle level safety strategy that guarantees Safety Of The Intended Functionality
  • the safety model is described to follow the driving policy that implements the vehicle level safety strategy, and is generated by modeling the SOTIF.
  • the planning block 120 may perform training on the safety model with a machine learning algorithm that performs back-propagations of driving control results to the safety model.
  • a learning model may be used among deep learning by a neural network such as DNN (Deep Neural Network), reinforcement learning, and the like.
  • the safety model may be defined as safety-related models that express safety-related aspects of driving behaviors based on an assumption about reasonably foreseeable behaviors of other road users.
  • the safety model may be defined as a model configuring a part of the safety-related models.
  • Such a safety model may be configured in at least one form of, for example, a mathematical model that formulates vehicle level safety or a computer program that executes processes according to the mathematical model.
  • the planning block 120 may make a plan for a future route along which the host vehicle 2 plans to travel with the driving control prior to generating the control commands.
  • the path planning may be performed computationally, for example, by simulation to navigate the host vehicle 2 based on the detection information. That is, the planning block 120 may implement DDT function to plan a route as a strategic action of the host vehicle 2 .
  • the planning block 120 may also plan a proper trajectory based on the acquired detection information for the host vehicle 2 , which travels along the planned route, prior to generating the control commands. That is, the planning block 120 may implement DDT function to plan a trajectory for the host vehicle 2 .
  • the trajectory planned by the planning block 120 may define chronologically at least one of a traveling position, a speed, an acceleration, and a yaw rate as a kinetic physical quantity relating to the host vehicle 2 .
  • the chronological trajectory plan builds a scenario of future travel for the host vehicle 2 by navigation.
  • the planning block 120 may generate the trajectory based on a plan using the safety model.
  • the safety model may be trained by a machine learning algorithm based on computation results by computing a cost function that assigns a cost to the generated trajectory.
  • the planning block 120 may make a plan for adjusting the levels of driving automation for the host vehicle 2 according to the acquired detection information. Adjusting the levels of driving automation may include takeover between automated driving and manual driving.
  • ODD Operational Design Domain
  • the exiting scenario from the ODD that is, the takeover scenario from automated driving to manual driving includes, as a use case, an unreasonable situation in which an unreasonable risk is determined to exist based on, for example, the safety model.
  • the planning block 120 may plan a DDT fallback for the driver who is a fallback ready user to perform a minimum risk maneuver to the host vehicle 2 to control the host vehicle 2 to shift to a minimum risk condition.
  • Adjusting the levels of driving automation may include a degraded traveling of the host vehicle 2 .
  • the degraded traveling scenario includes, as a use case, an unreasonable situation in which an unreasonable risk is determined to exist due to takeover to the manual driving based on, for example, the safety model.
  • the planning block 120 may plan DDT fallback to control the host vehicle 2 to shift to a minimum risk condition by performing autonomous driving or autonomous stop.
  • the DDT fallback for controlling the host vehicle 2 to shift to the minimum risk condition is not only implemented by adjusting the levels of driving automation, but also adjusting such as MRM (Minimum Risk Maneuver) or the like to perform a degraded traveling while maintaining the levels of driving automation.
  • the DDT fallback for controlling the host vehicle 2 to shift to the minimum risk condition may enhance the prominence of the shift situation by at least one of, for example, lighting, horns, signals, and gestures.
  • the risk supervising block 140 acquires the detection information from the sensing block 100 .
  • the risk supervising block 140 monitors a risk between the host vehicle 2 and a target moving object 3 (see FIG. 7 ) for each scene based on the acquired detection information.
  • the risk supervising block 140 chronologically performs risk monitoring based on the detection information so as to guarantee the SOTIF of the host vehicle 2 with respect to the target moving object 3 .
  • the target moving object 3 assumed in the risk monitoring is other road users existing in the traveling environment of the host vehicle 2 .
  • the target moving object 3 includes non vulnerable road users such as automobiles, trucks, motorbikes, and bicycles, and vulnerable road users such as pedestrians.
  • the target moving object 3 may further include an animal.
  • the risk supervising block 140 sets, based on the acquired detection information acquired for each scene, a safety envelope that ensures SOTIF of the host vehicle 2 based on, for example, a vehicle level safety strategy.
  • the risk supervising block 140 may set the safety envelope between the host vehicle 2 and the target moving object 3 using the safety model, which conforms to the driving policy as described above.
  • the safety model used to set the safety envelope may be designed to avoid, in accordance with accident liability rules, potential accident liability resulting from an unreasonable risk or road user misuse.
  • the safety model may be designed such that the host vehicle 2 complies with the accident liability rules, which is compliant with the driving policy.
  • a safety model includes, for example, a Responsibility Sensitive Safety model as disclosed in JP 6708793 B2.
  • the safety envelope may be defined as a set of limitations and conditions under which the system is designed to act as a target of a constraint/restriction or control to maintain operation within an acceptable level of risk.
  • a safety envelope may be defined as a physical-based margin around each road user including the host vehicle 2 and the target moving object 3 .
  • the safety envelope may be set with a margin relating to at least one physical quantity such as a distance, velocity, or acceleration.
  • a safety distance may be assumed from a profile relating to at least one kinematic quantity, based on the safety model for the host vehicle 2 and the target moving object 3 that are assumed to comply with the driving policy.
  • the safety distance defines boundary ensuring a physical-based margin around the host vehicle 2 for the expected motion of the target moving object 3 .
  • the safety distance may be assumed in view of the response time until a proper response is taken by the road user.
  • the safety distance may be assumed to comply with accident liability regulations. For example, in a scene where a lane structure such as lanes exist, a safety distance in the longitudinal direction of the host vehicle 2 for avoiding the risk of rear-end collision and head-on collision and a safety distance in the lateral direction of the host vehicle 2 for avoiding the risk of side collision may be calculated. In a scene where no lane structure exists, a safety distance to avoid the risk of collision of trajectory of the host vehicle 2 in any direction may be calculated.
  • the risk supervising block 140 may identify a scene-by-scene situation of relative motion between the host vehicle 2 and the target moving object 3 prior to setting the safety envelope as described above. For example, in a scene where a lane structure such as lanes exist, a situation where the risk of rear-end collision and head-on collision is assumed in the longitudinal direction or a situation where the risk of side collision is assumed in the lateral direction may be identified. In identifying these longitudinal and lateral situations, the state quantity relating to the host vehicle 2 and the target moving object 3 may be transformed into a coordinate system that assumes a lane structure with straight lanes. In a scene where no lane structure exists, a situation where a risk of collision of trajectory in a direction of the host vehicle 2 may be identified. For the above-described situation identification function, the situation identification result may be given to the risk supervising block 140 as the detection information by executing at least part of the situation identification function using the sensing block 100 .
  • the risk supervising block 140 executes a safety evaluation between the host vehicle 2 and the target moving object 3 based on the set safety envelope and the acquired detection information for each scene. That is, the risk supervising block 140 tests whether the driving scene interpreted based on the detection information between the host vehicle 2 and the target moving object 3 causes a safety envelope violation that is a violation of the safety envelope, thereby implementing the safety evaluation.
  • a safety distance is assumed in setting the safety envelope, no occurrence of violation of the safety envelope may be determined when the actual distance between the host vehicle 2 and the target moving object 3 exceeds the safety distance.
  • the safety envelope may be determined to be violated.
  • the risk supervising block 140 may calculate a reasonable scenario through simulation to provide the host vehicle 2 with a proper action to be taken in response to a determination that the safety envelope has been violated as a proper response.
  • a reasonable scenario simulation by estimating a state transition between the host vehicle 2 and the target moving object 3 , an action to be taken for each transition state is set as a constraint/restriction (which will be described later) on the host vehicle 2 .
  • a constraint/restriction value assumed for a kinetic physical quantity may be calculated so as to limit, as a constraint/restriction on the host vehicle 2 , at least one type of the kinetic physical quantity given to the host vehicle 2 .
  • the risk supervising block 140 may directly calculate the constraint/restriction value to comply with the accident liability rules from the profile relating to at least one type of the physical quantity. It may be said that the direct calculation of the constraint/restriction value is setting of the safety envelope, and also the direct calculation of the constraint/restriction value is setting of constraint/restriction on the driving control. Therefore, when an actual value that is safer than the constraint/restriction value is detected, the safety envelope may be determined to be not violated. On the other hand, when an actual value beyond the constraint/restriction value is detected, the safety envelope may be determined to be violated.
  • the risk supervising block 140 may store, in the memory 10 , at least one type of evidence information such as detection information used to set the safety envelope, determination information indicative of the determination result of the safety envelope, detection information having an effect on the determination result, and simulated scenarios.
  • the memory 10 that stores the evidence information may be installed inside the host vehicle 2 or installed at an external center outside of the host vehicle 2 according to the type of the dedicated computer that constitutes the processing system 1 .
  • the evidence information may be stored in unencrypted, encrypted or hashed state.
  • the evidence information may be stored at least when the safety envelope is determined to be violated.
  • the evidence information may be stored even when the safety envelope is determined to be not violated.
  • the evidence information when no violation of the safety envelope is determined can be used as a lagging measure at the time of storing and also be used as a leading measure in future.
  • the control block 160 acquires a control command from the planning block 120 .
  • the control block 160 acquires the determination information on the safety envelope from the risk supervising block 140 . That is, the control block 160 implements a DDT function that controls the motion of the host vehicle 2 .
  • the control block 160 executes the planned driving control of the host vehicle 2 in accordance with the control command when the control block 160 acquires the determination information indicating that the safety envelope is not violated.
  • the control block 160 When the control block 160 acquires the determination information indicating that the safety envelope is violated, the control block 160 imposes a constraint/restriction on the planned driving control of the host vehicle 2 according to the driving policy based on the determination information.
  • the constraint/restriction on the driving control may be functional restrictions.
  • the constraint/restriction on the driving control may be degraded constraints.
  • the constraint/restriction on the driving control may be a different constraint/restriction from the above-described constraints/restriction.
  • the constraint/restriction on the driving control may be implemented by constraining/restricting the control command.
  • the control block 160 When a reasonable scenario is simulated by the risk supervising block 140 , the control block 160 may constrain/restrict the control command according to that scenario.
  • the control parameter of the motion actuator included in the control command may be corrected based on the constraint/restriction value.
  • the first embodiment assumes a lane structure Ls with a separated lane.
  • the lane structure Ls with a direction in which the lane extends as the longitudinal direction imposes a constraint/restriction on the motion of the host vehicle 2 and the target moving object 3 .
  • the lane structure Ls with a width direction of the lane or a direction in which the lanes are arranged as the lateral direction imposes a constraint/restriction on the motion of the host vehicle 2 and the target moving object 3 .
  • the driving policy between the host vehicle 2 and the target moving object 3 in the lane structure Ls is defined by the following (A) to (E), for example.
  • a forward direction with respect to the host vehicle 2 is, for example, a traveling direction on a turning circle at the current steering angle of the host vehicle 2 , a traveling direction of a straight line that passes through the center of gravity of the host vehicle 2 and is perpendicular to the axle of the host vehicle 2 , or a traveling direction along an axial line of the FOE (Focus of Expansion) of the camera from the front camera module in the sensor system 5 of the host vehicle 2 .
  • the action of the road user which does not lead to an unreasonable situation is assumed to be a reasonable action that is required to be taken by the road user.
  • the unreasonable situation between the host vehicle 2 and the target moving object 3 in the lane structure Ls is a head-on collision, a rear-end collision, and a side collision.
  • the target moving object 3 for the host vehicle 2 is a target vehicle 3 a
  • the reasonable action in a head-on collision situation includes, for example, applying brakes to the vehicle traveling in the opposite direction.
  • the reasonable action in a rear-end collision situation includes, for example, not applying sudden brakes with a certain level or more brake amount in the preceding vehicle and avoiding the rear-end collision by the preceding vehicle on the premise that the preceding vehicle does not make a sudden deceleration.
  • the reasonable action in a side collision situation includes, for example, steering each of the vehicles traveling side by side in a direction away from one another.
  • the state quantities related to the host vehicle 2 and the target moving object 3 are converted into, regardless of whether the lane structure Ls has a curved lane or the lane structure Ls has an undulating lane, a Cartesian coordinate system defining the longitudinal direction and the lateral direction assuming a linear and planar lane structure Ls.
  • the safety model may be designed according to accident liability rules which assume that a moving object that does not take a reasonable action would be responsible for the accident.
  • a safety envelope is set for the host vehicle 2 so as to avoid a potential accident liability by taking a reasonable action.
  • the risk supervising block 140 determines whether violation of the safety envelope occurs by comparing an actual distance between the host vehicle 2 and the target moving object 3 with the safety distance that is set based on the safety model for each driving scene.
  • the risk monitoring block 140 in a normal situation simulates a scenario for giving a reasonable action to the host vehicle 2 .
  • the risk supervising block 140 sets, as a constraint/restriction on the driving control performed by the control block 160 , a constraint/restriction value regarding at least one of speed or acceleration, for example.
  • the violation determination function and the constraint/restriction setting function in a normal situation are referred to as a normal safety function.
  • each “S” in the processing method indicates each step executed by each instruction included in a processing program.
  • the sensing block 100 monitors the abnormality of the detection information in time series for each control cycle.
  • the abnormality in the first embodiment includes a sensing abnormality of the sensor system 5 mounted on the host vehicle 2 .
  • the sensor system functions as a generation source of the detection information.
  • Examples of the sensing abnormality include an abnormality in which the detection information itself cannot be generated or an abnormality in which the accuracy or reliability of the detection information decreases due to at least one factors.
  • the factors may include an abnormality in the external sensor 50 of the sensor system 5 , a disturbance including a weather influence on the external sensor 50 of the sensor system 5 , or a detection limit including a blind spot of the external sensor 50 of the sensor system 5 .
  • the external sensor 50 of the first embodiment includes a single longitudinal sensor 500 in which a detection range As is set with respect to the longitudinal direction of the host vehicle 2 .
  • the external sensor 50 of the first embodiment also includes multiple lateral direction sensors 501 , 502 which have mutually adjacent detection ranges As.
  • the adjacent detection ranges are respectively set by the multiple sensors to have substantially the same size in the lateral direction of the host vehicle 2 . Therefore, in S 100 , the sensing block 100 determines that an abnormality has occurred in the detection information when a sensing abnormality is confirmed in the detection range As of any one of the longitudinal sensor 500 and the lateral sensor 501 , 502 .
  • the processing method proceeds to S 101 and S 102 in parallel.
  • the sensing block 100 determines that no abnormality has occurred in the normal detection information
  • the current flow of the processing method ends.
  • scene information regarding a traveling scene at the time of occurrence of the abnormality may be stored in the memory 10 .
  • the scene information for example, among abnormality content of the detection information, a set range of the safety envelope, violation content of the safety envelope, information of a virtual moving object (described later), a setting result of the constraint/restriction, presence or absence of degradation, driving control result, time stamp of specific date and time as a start point, current date and time, at least the abnormality content of the detection information may be stored or at least two types of the information may be stored in association with one other.
  • the scene information regarding a traveling scene at the time of abnormality occurrence may be presented to the occupant through the information presentation system 4 .
  • the scene information for example, among abnormality content of the detection information, a set range of the safety envelope, violation content of the safety envelope, information of a virtual moving object (described later), a setting result of the constraint/restriction, presence or absence of degradation, driving control result, time stamp of specific date and time as a start point, current date and time, at least the abnormality content of the detection information may be presented or at least two types of the information may be presented in association with one other.
  • the monitoring and determination at S 100 may be performed by at least one of the planning block 120 and the risk supervising block 140 .
  • the planning block 120 plans the driving control for executing the degraded traveling or the takeover to the manual driving for each control cycle in time series, as the adjustment of levels of driving automation in the host vehicle 2 .
  • FIG. 13 schematically illustrates that the driving control commanded to the control block 160 is degraded at the occurrence time of abnormality indicated by a thick dashed line rather than at the normal time indicated by a thin dashed line. That is, it can be said that the planning block 120 plans, in S 101 , the degradation of driving control. In S 101 , the planning block 120 may plan to continue the driving control with best effort without degrading the driving control to be instructed to the control block 160 .
  • the risk supervising block 140 sets the constraint/restriction to be applied to the driving control planned in S 101 for each control cycle in time series based on the safety model of the lane structure Ls.
  • the constraint/restriction setting function at the occurrence time of abnormality can further degrade the constraint/restriction on the driving control compared with the normal time safety function.
  • the constraint/restriction setting subroutine may be started simultaneously with the start of degradation of driving control in S 101 .
  • the constraint/restriction setting subroutine may be started after waiting for a predetermined control cycle of the driving control from the start of degradation of driving control in S 101 .
  • the constraint/restriction setting subroutine may be started earlier by a predetermined control cycle than the start of degradation of driving control in S 101 .
  • the risk supervising block 140 determines whether a target moving object 3 is present in a detection range As of abnormality occurrence target in a traveling scene before occurrence of abnormality. When the risk supervising block 140 determines that a target moving object 3 is not present in the detection range As, the constraint/restriction setting subroutine proceeds to S 111 . When the risk supervising block 140 determines that a target moving object 3 is present in the detection range As, the constraint/restriction setting subroutine proceeds to S 112 .
  • the risk supervising block 140 virtually sets the target moving object 3 at a distant point Pf located at a detection limit distance within the detection range As of the abnormality occurrence target. That is, the position of target moving object 3 serving as the virtual moving object is assumed to be the distant point Pf located at the detection limit distance.
  • the distant point Pf is defined at a location at a detection limit distance which is the longest distance in the longitudinal direction or the lateral direction of the detection range As.
  • a speed limit value in the longitudinal direction or in the lateral direction according to the detection range As of the abnormality occurrence target is set as the constraint/restriction on the driving control of the host vehicle 2 based on the safety model of the lane structure Ls between the target moving object 3 at the distant point Pf and the host vehicle 2 .
  • the constraint/restriction and the safety model used for setting the constraint/restriction are assumed by at least one of, for example, model switching, parameter adjustment, and the like in accordance with the scene of abnormality occurrence.
  • the safety model related to the lane structure Ls is assumed for the type of target moving object 3 , which is recognized or estimated from the detection information before the occurrence of abnormality.
  • the upper limit speed v r,max which is the speed limit value assumed in the longitudinal direction, is calculated by the following equations 1 and 2 as a speed at which the host vehicle 2 can safely stop within the detection limit distance d s from the longitudinal sensor 500 to the distant point Pf as shown in FIG. 9 and FIG. 10 .
  • Equations 1 and 2 are functional equations related to the acceleration/deceleration profile defined based on the safety model shown in FIG. 15 .
  • d f is a distance by which the target moving object 3 stops in the longitudinal direction according to the acceleration/deceleration profile based on the safety model.
  • a r is the maximum acceleration of the host vehicle 2 in the longitudinal direction.
  • b r is the minimum deceleration of the host vehicle 2 in the longitudinal direction.
  • a f is the maximum acceleration of the target moving object 3 in the longitudinal direction.
  • b f,min is the minimum deceleration of the target moving object 3 .
  • b f,max is the maximum deceleration of the target moving object 3 in the longitudinal direction.
  • is the response time of the host vehicle 2 and the target moving object 3 .
  • v f is the speed of the target moving object 3 in the longitudinal direction.
  • v r , max b r ( 2 ⁇ d s - d f + b r ⁇ ⁇ 2 + a r ⁇ ⁇ 2 ) - ( a r + b r ) ⁇ ⁇ ( Equation ⁇ 1 )
  • d f ⁇ - v f 2 ⁇ b f , max , for ⁇ v f > 0 ( v f - ( a f + b f , min ) ⁇ ⁇ ) 2 2 ⁇ b f , min - a f + b f , min 2 ⁇ ⁇ 2 , for ⁇ v f ⁇ 0 ( Equation ⁇ 2 )
  • the speed v f may be set to the maximum speed assumed for the target moving object 3 based on, for example, the legal speed.
  • the speed v f may be set to zero (0).
  • the scene where only the target moving object 3 is responsible for an accident even in a head-on collision may include a traveling scene where the lane structure Ls is one-way structure, or the lane structure Ls has a median strip or the like
  • the speed v f may be set to a maximum speed of head-on collision in which a safety distance assumed by the safety model in the normal safety function is long.
  • the speed v f of the target moving object 3 in the longitudinal direction may be set to a speed assumed based on at least one of the road width, the traveling data of the host vehicle 2 and the target moving object 3 in the past, the current speed of the surrounding environment, in a first scene where the maximum speed is not regulated although the risk of head-on collision is assumed.
  • the speed assumed at this time may be initially set based on data obtained by a demonstration experiment and then updated based on data obtained by a market environment.
  • the speed of may be set to the maximum speed.
  • the speed if of the target moving object 3 in the longitudinal direction may be set to zero (0) in a third scene where the minimum speed is not regulated since the risk of head-on collision is not assumed.
  • the speed v f may be set to the minimum speed in a fourth scene where the minimum speed is regulated when the risk of head-on collision is not assumed.
  • the safety distance in the longitudinal direction as the safety envelope becomes shorter in the order of the first, second, third, and fourth scenes.
  • the upper limit speed v r,max of the host vehicle 2 in the longitudinal direction increases in the order of the first, second, third, and fourth scenes.
  • the upper limit speed v 1,max which is the speed limit value assumed in the lateral direction, is calculated by the following equations 3 and 4 as a speed at which the host vehicle 2 can safely stop within the detection distance d s from one of a first lateral sensor 501 or a second lateral sensor 502 to the distant point Pf as shown in FIG. 11 .
  • Equations 3 and 4 are functional equations related to the acceleration/deceleration profile defined based on the safety model shown in FIG. 16 .
  • d 2 is a distance by which the target moving object 3 stops in the lateral direction according to the acceleration/deceleration profile based on the safety model.
  • a 1 is the maximum acceleration of the host vehicle 2 in the lateral direction.
  • b 1 is the minimum deceleration of the host vehicle 2 in the lateral direction.
  • a 2 is the maximum acceleration of the target moving object 3 in the lateral direction.
  • b 2 is the minimum deceleration of the target moving object 3 in the lateral direction.
  • is the response time of the host vehicle 2 and the target moving object 3 .
  • v 1 is the velocity of the host vehicle 2 in the lateral direction.
  • v 2 is the velocity of the target moving object 3 in the lateral direction.
  • v 1 , max ⁇ ⁇ b 1 ( 2 ⁇ d S - d 2 + b 1 ⁇ ⁇ 2 + a 1 ⁇ ⁇ 2 ) - ( a 1 + b 1 ) ⁇ ⁇ , for ⁇ v 1 + a 1 ⁇ ⁇ > 0 ⁇ , for ⁇ v 1 + a 1 ⁇ ⁇ ⁇ 0 ( Equation ⁇ 3 )
  • d 2 ⁇ ( v 2 - ( a 2 + b 2 ) ⁇ ⁇ ) 2 2 ⁇ b 2 - a 2 + b 2 2 ⁇ ⁇ 2 , for ⁇ v 2 - a 2 ⁇ ⁇ ⁇ 0 0 , for ⁇ v 2 - a 2 ⁇ ⁇ ⁇ 0 ( Equation ⁇ 4 )
  • the speed v 2 may be set to the maximum speed assumed for the target moving object 3 based on, for example, the legal speed.
  • the maximum speed of target moving object 3 may be assumed to be a speed based on at least one of a road width, past traveling data of the host vehicle 2 and the target moving object 3 , a current speed of the surrounding environment, and the like.
  • the maximum speed assumed at this time may be initially set based on data obtained by a demonstration experiment and then updated based on data obtained by a market environment.
  • FIG. 13 schematically illustrates that the constraint/restriction imposed on degraded driving control is further degraded at the occurrence time of abnormality as indicated by a thick solid line, compared with the normal time indicated by a thin solid line. Therefore, in S 111 , the risk supervising block 140 may determine a violation of the safety envelope based on the upper limit speed v r,max or the upper limit speed v 1,max serving as the constraint/restriction. At this time, when the host vehicle 2 exceeds the upper limit speed v r,max or exceeds the upper limit speed v 1,max , violation of the safety envelope may be determined.
  • the risk supervising block 140 virtually sets the target moving object 3 at an estimated position Pp estimated based on the position of the target moving object 3 before the occurrence of abnormality.
  • the position of target moving object 3 serving as the virtual moving object is assumed to be the estimated position Pp.
  • the estimated position Pp may be assumed to be a position where the target moving object 3 is present in the traveling scene before the occurrence of abnormality in the detection range As of abnormality occurrence target.
  • the estimated position Pp may be calculated from the speed and the elapsed time at the position where the target moving object 3 is present in the traveling scene before the occurrence of abnormality in the detection range As of abnormality occurrence target.
  • the estimated position Pp may be set to one of the assumed position or the calculated position, which has a higher risk. For these reasons, in S 112 , the constraint/restriction on the driving control of the host vehicle 2 is set based on the safety model of the lane structure Ls as in S 111 except that the distant point Pf is replaced with the estimated position Pp. In S 112 , violation of the safety envelope may be determined similar to S 111 .
  • the processing method proceeds from S 101 and S 102 to S 103 , which is in common.
  • the control block 160 applies the constraint/restriction, which is set by the risk supervising block 140 in S 111 or S 112 of the constraint/restriction setting subroutine of S 102 , to the driving control planned in S 101 .
  • the constrained/restricted speed of the host vehicle 2 By limiting the constrained/restricted speed of the host vehicle 2 to equal to or lower than the upper limit speed v r,max or the upper limit speed v 1,max , it is possible to avoid violation of the safety envelope.
  • the constraint or restriction according to the detection information is set to the driving control based on the safety model, which is in compliance with the driving policy and is generated by modeling SOTIF. According to the above configuration, it is possible to secure the accuracy of driving control by properly setting the constraint or restriction in a scene where the abnormality is occurred in the detection information, specifically in a scene where sensing abnormality is occurred as described in the first embodiment.
  • a second embodiment is a modification of the first embodiment.
  • the external sensor 50 of the second embodiment includes multiple longitudinal sensors 2501 , 2502 having respective detection ranges As set partially overlapped one another with respect to the longitudinal direction of the host vehicle 2 .
  • a second longitudinal sensor 2502 is configured to have a longer detection limit distance, which is set along a detection angle at which the detection ranges As overlap with one another, from the host vehicle 2 compared with a detection limit distance of a first longitudinal sensor 2501 .
  • the first longitudinal sensor 2501 corresponds to a “first sensor”
  • the second longitudinal sensor 2502 corresponds to a “second sensor”.
  • the process determines that an abnormality is occurred in the detection information, as illustrated in FIG. 22 , the process proceeds from the abnormality occurrence determination in S 100 to S 2100 .
  • the sensing block 100 determines whether the external sensor 50 in which an abnormality is determined to be occurred as a failure is the second longitudinal sensor 2502 .
  • the processing method proceeds to S 101 and S 102 in parallel.
  • the sensing block 100 determines that the external sensor 50 determined to have the sensing abnormality is the second longitudinal sensor 2502 in S 2100
  • the processing method proceeds to S 2101 and S 2102 in parallel.
  • the determination at S 2100 may be performed by at least one of the planning block 120 and the risk supervising block 140 .
  • the planning block 120 plans degradation of the driving control in accordance with S 101 .
  • the risk supervising block 140 sets the constraint/restriction to be applied to the driving control planned in S 2101 based on the safety model of the lane structure Ls. As shown in FIG. 23 , in the process of setting the constraint/restriction at the occurrence time of abnormality, the constraint/restriction on the driving control is set according to a subroutine different from that in S 101 and is further degraded compared with the normal safety function.
  • the execution timing of S 2101 and S 2102 may be adjusted according to the execution time of S 101 and S 102 .
  • the risk supervising block 140 virtualizes the target moving object 3 at multiple positions as illustrated in FIG. 20 .
  • a distant point Pf 2 of the detection limit distance in the detection range As of the second longitudinal sensor 2502 in which the abnormality is occurred and a distant point Pf 1 of the detection limit distance in the detection range As of the normal first longitudinal sensor 2501 are assumed.
  • the constraint/restriction based on the safety model between the target moving object 3 at the distant point Pf 2 and the host vehicle 2 is gradually changed to the constraint/restriction based on the safety model between the target moving object 3 at the distant point Pf 1 and the host vehicle 2 with a progress of the control cycle.
  • the upper limit speed v r,max in the longitudinal direction based on the safety model or the upper limit speed v 1,max in the lateral direction based on the safety model may gradually change from the value set at the distant point Pf 2 to the value set at the distant point Pf 1 with a predetermined deceleration interval (for example, 0.2 G or the like).
  • the risk supervising block 140 virtualizes the target moving object 3 at multiple positions as illustrated in FIG. 21 .
  • an estimated position Pp based on a presence position of the target moving object 3 prior to abnormality occurrence in the detection range As of the second longitudinal sensor 2502 and a distant point Pf 1 of the detection limit distance in the detection range As of the normal first longitudinal sensor 2501 are assumed.
  • the constraint/restriction based on the safety model between the target moving object 3 at the estimated position Pp and the host vehicle 2 is gradually changed to the constraint/restriction based on the safety model between the target moving object 3 at the distant point Pf 1 and the host vehicle 2 with a progress of the control cycle.
  • the upper limit speed v r,max in the longitudinal direction based on the safety model or the upper limit speed v 1,max in the lateral direction based on the safety model may gradually change from the value set at the estimated position Pp to the value set at the distant point Pf 1 with a predetermined deceleration interval (for example, 0.2 G or the like).
  • violation of the safety envelope may be determined similar to S 111 .
  • the processing method proceeds from S 2101 and S 2102 to a common S 103 , and from S 101 and S 102 to a common S 103 .
  • it is possible to secure the accuracy of the driving control by setting a proper constraint/restriction for each sensing abnormality of the multiple sensors 2501 and 2502 having different detection limit distances from one another.
  • a third embodiment is a modification of the first embodiment.
  • S 3100 is executed instead of S 100 described above.
  • the abnormality monitored by the sensing block 100 in S 3100 includes accuracy abnormality of information related to a distance to the target moving object 3 included in the detection information.
  • Examples of the accuracy abnormality may include an abnormality in which the sensing block 100 fails to generate normal distance information due to at least one of an abnormality of a millimeter wave radar that is excellent in detection of distance to the target moving object 3 in the sensor system 5 , a disturbance including weather influence, a detection limit including a blind spot of the millimeter wave radar, and the like.
  • S 3100 of the third embodiment may be specifically executed when an accuracy abnormality, which is also referred to as sensing abnormality, occurs in S 101 of the first and second embodiments.
  • the processing method proceeds to S 101 and S 102 in parallel, and then proceeds to S 103 .
  • the normal safety function may be executed instead of executing S 102 .
  • a constraint/restriction such as an acceleration limit value may be set based on a safety model.
  • a distance, a speed, and a direction of the target moving object 3 may be respectively assumed to be the minimum value, the maximum value, and a traveling direction opposite to the host vehicle 2 as the worst case.
  • a fourth embodiment is a modification of the first embodiment.
  • the fourth embodiment assumes a virtual environment 4004 in which the host vehicle 2 and the target moving object 3 are not regulated in the longitudinal direction and the lateral direction by the lane structure Ls.
  • the driving policy between the host vehicle 2 and the target moving object 3 in the virtual environment 4004 is defined by the following (F) to (H), for example.
  • the safety model of virtual environment 4004 defines a collision between a trajectory of the host vehicle 2 and a trajectory of the target moving object 3 as an unreasonable situation. That is, the safety model of the virtual environment 4004 is defined by modeling the SOTIF in which the unreasonable risk of trajectory collision for the host vehicle 2 and the target vehicle 3 is absent. The absence situation of the trajectory collision is ensured by satisfaction of at least one of the following first and second conditions. As illustrated in FIG. 25 , the first condition is that the minimum distance d min between the trajectory of the host vehicle 2 and the trajectory of the target moving object 3 is larger than a safety design value, which is set based on, for example, an accident responsibility rule or the like.
  • each travel distance until the host vehicle 2 and the target moving object 3 stop is always equal to or greater than a certain value.
  • the second condition is that an angle ⁇ stop formed by a relative position vector when the host vehicle 2 is stopped and the traveling direction of the target moving object 3 is smaller than a safety design value, which is set based on, for example, an accident responsibility rule or the like.
  • the distance until the host vehicle 2 stops on the track is always equal to or greater than a certain distance, and the target moving object 3 is present in front of the stopped host vehicle 2 .
  • the safety model of the virtual environment 4004 sets a safety envelope that does not lead to an unreasonable situation, such as trajectory collision.
  • the safety envelope is secured by establishment of any one of the following first to third safety states.
  • a first safety state is a state in which collision between the trajectories does not occur in reachable ranges of the host vehicle 2 and the target moving object 3 before the host vehicle 2 and the target moving object 3 stop together.
  • a second safety state is a state in which, when the host vehicle 2 performs a stop operation such as braking, for example, and the target moving object 3 moves forward without braking, a collision between the trajectories does not occur in reachable ranges (solid line ranges in FIG.
  • a third safe state is a state in which, when the target moving object 3 executes the stop operation and the host vehicle 2 moves forward without brake or stop, a collision between the trajectories does not occur in the reachable ranges of the host vehicle and the target moving object (the solid line ranges in FIG.
  • the safety model of the virtual environment 4004 assumes the following first to third actions as proper rational actions to be taken by the host vehicle 2 even when an unreasonable situation occurs.
  • a first action in a case where both the host vehicle 2 and the target moving object 3 fall into an unreasonable situation from a state of being completely stopped, when the target moving object 3 is not located in front of the host vehicle 2 , the host vehicle 2 may move and separate from the target moving object 3 . At this time, it is desirable that the host vehicle 2 moves forward at a higher speed than the target moving object 3 .
  • the host vehicle 2 may continue the completely stopped state until the unreasonable situation is absent.
  • the host vehicle 2 may continue to move forward unless the target moving object 3 is not in stop state.
  • the host vehicle 2 may further continue to move forward if the target moving object 3 is not located in front of the host vehicle.
  • the host vehicle 2 may execute stop operation.
  • the host vehicle 2 executes the stop operation in a case other than the first and second actions. Whether or not the target moving object 3 is located in front of the host vehicle 2 in the first and second actions may be determined based on the second condition described above.
  • S 4100 and S 4102 are executed instead of S 100 and S 102 .
  • the abnormality monitored by the sensing block 100 in S 4100 includes recognition abnormality of information related to a type of the target moving object 3 included in the detection information.
  • Examples of the recognition abnormality may include an abnormality in which the sensing block 100 fails to generate normal recognition information due to at least one of an abnormality of a camera that is excellent in detection of type of the target moving object 3 in the sensor system 5 , a disturbance including weather influence, a detection limit including a blind spot of the camera, and the like.
  • S 4100 of the fourth embodiment may be specifically executed when a recognition abnormality, which is also referred to as sensing abnormality, occurs in S 101 of the first and second embodiments.
  • the processing method proceeds to S 101 and S 4102 in parallel, and then proceeds to S 103 .
  • the risk supervising block 140 sets the constraint/restriction to be applied to the driving control planned in S 101 based on the safety model of the virtual environment 4004 instead of the safety model of the lane structure Ls.
  • the constraint/restriction setting at the occurrence time of abnormality due to recognition abnormality can further degrade the constraint/restriction on the driving control compared with the normal time safety function.
  • the execution timing of S 101 and S 4102 may be adjusted according to the execution time of S 101 and S 102 .
  • the risk supervising block 140 sets a constraint/restriction on the driving control of the host vehicle 2 based on the safety model of the virtual environment 4004 between the host vehicle 2 and the target moving object 3 assumed to be located at the virtual position of distant point Pf as similar as in S 111 .
  • the constraint/restriction is set in the longitudinal direction or the lateral direction of the host vehicle 2 according to the detection range As of the abnormality occurrence target even in the case of the virtual environment 4004 .
  • the target moving object 3 may be assumed to be a specific object among vulnerable road users according to the scene, such as a pedestrian having a high risk that the host vehicle 2 is responsible for an accident.
  • the safety distance of the assumed specific object may be estimated.
  • the target moving object 3 may be assumed to be an unidentified object (unknown) as illustrated in FIG. 32 .
  • a long safety distance in the traveling direction of the assumed unidentified object may be estimated.
  • the limit value assumed as the constraint/restriction in the case of the longitudinal direction may be calculated as a function value related to acceleration/deceleration profile defined based on the safety model as illustrated in FIG. 33 and FIG. 34 . That is, in the case of the longitudinal direction, the limit value of the acceleration corresponds to the constraint/restriction.
  • c max,ac is the maximum acceleration in the forward movement of the host vehicle 2 .
  • c max,br is the maximum deceleration in the forward movement of the host vehicle 2 .
  • e max,ac is the maximum acceleration in the stop motion of the host vehicle 2 .
  • e max,br is the maximum deceleration in the stop motion of the host vehicle 2 .
  • e min,br is the minimum deceleration in the stop motion of the host vehicle 2 .
  • is the response time of the host vehicle 2 .
  • the limit value assumed as the constraint/restriction in the lateral direction is calculated as at least one of the function values of the yaw rate profile or the curvature change rate profile defined based on the safety model as illustrated in FIG. 35 and FIG. 36 . That is, in the case of the lateral direction, at least one of the limit values of the yaw rate or the trajectory curvature change rate is constrained/restricted.
  • f max corresponds to the maximum value of the yaw rate applied to the host vehicle 2 .
  • g max is the maximum value of the temporal change rate in the trajectory in which the curvature of the host vehicle 2 changes.
  • is the response time of the host vehicle 2 .
  • the risk supervising block 140 sets a constraint/restriction on the driving control of the host vehicle 2 , similar to S 4111 , based on the safety model of the virtual environment 4004 between the host vehicle 2 and the target moving object 3 assumed to be located at the estimated position Pp as the virtual position similar as in S 112 .
  • violation of the safety envelope may be determined similar to S 111 .
  • a fifth embodiment is a modification of the fourth embodiment.
  • S 5100 is executed instead of S 100 described above.
  • the abnormality monitored by the sensing block 100 in S 5100 includes a localization abnormality of the position information of the host vehicle 2 included in the detection information.
  • Examples of the localization abnormality include an abnormality in which the sensing block 100 fails to generate normal localization information due to at least one of a failure of map information in the map DB 7 , a transmission failure including a transmission delay of map information by the V2X communication executed by the communication system 6 , a reception failure of a positioning signal by the positioning purpose communication executed by the communication system 6 , and a sensing abnormality related to a self-state quantity of the sensor system 5 .
  • S 5100 of the fifth embodiment may be specifically executed in a case where localization abnormality due to sensing abnormality occurs in S 101 of the first and second embodiments.
  • the processing method proceeds to S 101 and S 4102 in parallel, and then proceeds to S 103 .
  • the safety model of the virtual environment 4004 used for the constraint/restriction setting is assumed for the target moving object 3 of the type recognized or estimated from the detection information before the occurrence of abnormality.
  • a sixth embodiment is a modification of the first embodiment.
  • a control block 6160 the acquisition processing of determination information regarding the safety envelope from the risk supervising block 140 is omitted.
  • the planning block 6120 according to the sixth embodiment acquires determination information on the safety envelope from the risk supervising block 140 .
  • the planning block 6120 plans the driving control of the host vehicle 2 similar to the planning block 120 when the determination information that the safety envelope is not violated is acquired.
  • the planning block 6120 imposes a constraint/restriction on the driving control based on the determination information at the stage of planning the driving control similar to the planning block 120 . That is, the planning block 6120 imposes a constraint/restriction on the planned driving control.
  • the control block 6160 performs the driving control of the host vehicle 2 planned by the planning block 6120 .
  • the processing method of the sixth embodiment does not execute S 101 , and executes S 6103 and S 6104 sequentially instead of S 103 .
  • the planning block 6120 applies the constraint/restriction, which is set by the risk supervising block 140 in S 111 or S 112 of the constraint/restriction setting subroutine S 102 , to the driving control to be planned. That is, it can be said that the planning block 6120 plans, in S 6103 , the degradation of driving control.
  • the control block 6160 executes the driving control to which the constraint/restriction is applied in S 6103 .
  • a seventh embodiment is a modification of the first embodiment.
  • the acquisition processing of determination information regarding the safety envelope from the risk supervising block 7140 is omitted. Therefore, the risk supervising block 7140 of the seventh embodiment acquires information representing the result of the driving control executed by the control block 7160 for the host vehicle 2 .
  • the risk supervising block 7140 evaluates the driving control by performing, based on the safety envelope, safety determination on the results of the driving control.
  • the processing method of the seventh embodiment does not execute S 102 , and executes S 7103 , S 7104 , and S 7105 sequentially instead of S 103 .
  • the control block 7160 executes the driving control planned in S 101 .
  • the risk supervising block 7140 sets the constraint/restriction on the driving control set in S 7103 by executing a constraint/restriction subroutine similar to S 102 .
  • the risk supervising block 7140 evaluates the driving control set in 7103 based on the upper limit speed v r,max in the longitudinal direction or the upper limit speed v 1,max in the lateral direction, which are set as constraints. At this time, when the host vehicle 2 exceeds the upper limit speed v r,max or exceeds the upper limit speed v 1,max , it is determined that there is a violation of the safety envelope as an evaluation of the driving control.
  • the process in S 7104 and S 7105 may be executed each time one control cycle of the information indicating the result of the driving control in S 7103 is stored in the memory 10 .
  • S 7104 may be executed each time one control cycle information indicating the result of the driving control in S 7103 is stored in the memory 10 .
  • S 7105 may be executed after multiple control cycle information indicating the results of driving control in S 7103 are stored in the memory 10 .
  • the process in S 7104 and S 7105 may be executed after multiple control cycle information indicating the results of the driving control in S 7103 are stored in the memory 10 .
  • An eighth embodiment is a modification of the first and seventh embodiments.
  • a test block 8180 that tests the driving control executed by the processing system 1 is added, for example, for safety approval purpose or the like.
  • the test block 8180 is provided with functionality similar to the sensing block 100 and the risk supervising block 140 .
  • the test block 8180 may be implemented by the processing system 1 shown in FIG. 42 executing a test program that is added to the processing program functioning as the blocks 100 , 120 , 140 , 160 .
  • the test block 8180 may be implemented by a test processing system 8001 as shown in FIG.
  • test processing system 8001 may execute a test program that is different from the processing program functions as the blocks 100 , 120 , 140 , 160 .
  • the test processing system 8001 may be a dedicated computer that has at least one memory 10 and processor 12 and is connected to the processing system 1 to test the driving control (a connection example through the communication system 6 is not shown).
  • the process does not execute S 101 and S 7103 , and executes S 8100 , S 8104 , and S 8105 , which correspond to S 100 , S 7104 , and S 7105 , respectively.
  • the test block 8180 monitors and determines abnormality in the detection information similar to S 100 .
  • illustration of data acquisition path for monitoring and determining abnormality in detection information is omitted.
  • the test block 8180 sets a constraint/restriction on the driving control set in S 103 by the processing system 1 using the constraint/restriction subroutine similar to S 102 or S 7104 .
  • the test block 8180 tests the driving control set in S 103 by the processing system 1 similar to test executed in S 7105 . At this time, when the host vehicle 2 exceeds the upper limit speed v r,max or exceeds the upper limit speed v 1,max , it is determined that there is a violation of the safety envelope as a test result of the driving control.
  • the process in S 8104 and S 8105 may be executed each time one control cycle of the information indicating the result of the driving control in S 103 is stored in the memory 10 of the processing system 1 or the test processing system 8001 .
  • S 8104 may be executed each time one control cycle information indicating the result of the driving control in S 103 is stored in the memory 10 of the processing system 1 or the test processing system 8001 .
  • S 8105 may be executed after multiple control cycle information indicating the results of driving control in S 103 are stored in the memory 10 of the processing system 1 or the test processing system 8001 .
  • the process in S 8104 and S 8105 may be executed after multiple control cycles of the information indicating the results of the driving control in S 103 are stored in the memory 10 of the processing system 1 or the test processing system 8001 .
  • a ninth embodiment is a modification of the sixth embodiment.
  • the planning block 9120 incorporates the function of the risk supervising block 140 as a risk supervising sub-block 9140 .
  • the planning block 9120 according to the ninth embodiment plans the driving control of the host vehicle 2 similar the planning block 120 when the determination information indicating that the safety envelope is not violated is acquired by the risk supervising sub-block 9140 .
  • the planning block 9120 imposes a constraint/restriction on the driving control based on the determination information at the stage of planning the driving control similar to the planning block 120 . That is, the planning block 9120 imposes a constraint/restriction on the planned driving control.
  • the control block 6160 performs the driving control of the host vehicle 2 planned by the planning block 9120 .
  • the risk supervising sub-block 9140 included in the planning block 9120 executes S 102 .
  • the planning block 9120 applies the constraint/restriction, which is set by the risk supervising sub-block 9140 in S 111 or S 112 of the constraint/restriction setting subroutine S 102 , to the driving control to be planned.
  • the ninth embodiment it is possible to secure the accuracy of driving control by applying a proper constraint/restriction to the driving control based on the principle equivalent to the first embodiment.
  • the dedicated computer of the processing system 1 of the modification example may include at least one of a digital circuit and an analog circuit as a processor.
  • the digital circuit is at least one type of, for example, an ASIC (Application Specific Integrated Circuit), a FPGA (Field Programmable Gate Array), an SOC (System on a Chip), a PGA (Programmable Gate Array), a CPLD (Complex Programmable Logic Device), and the like.
  • Such a digital circuit may include a memory in which a program is stored.
  • the detection limit distance of the first longitudinal sensor 2501 from the host vehicle 2 may be set to be longer than a detection limit distance of the first lateral sensor 501 within a detection angle partially overlapping with the detection range As of the first lateral sensor 501 .
  • the gradual change of the constraint/restriction may be assumed from the distant point Pf or the estimated position Pp of the detection limit distance in the detection range As of the first longitudinal sensor 2501 to the distant point Pf of the detection limit distance in the detection range As of the first lateral sensor 501 .
  • each distant point Pf in this case may be defined as a point located at a detection limit distance, which is the farthest distance within a detection angle at which the detection ranges As overlap with one another, from the host vehicle.
  • the first lateral sensor 501 corresponds to a “first sensor”
  • the first longitudinal sensor 2501 corresponds to a “second sensor”.
  • the second to fifth embodiments may be modified according to any one of the sixth, seventh, eighth, or ninth embodiments.
  • the processing methods according to at least two of the third to fifth embodiments may be executed in parallel as a modification.
  • the present disclosure may be implemented in forms of a device mountable on a host moving object and including at least one processor 12 and at least one memory 10 , a processing circuit (for example, a processing ECU, etc.) or a semiconductor device (eg, semiconductor chip, etc).
  • a processing circuit for example, a processing ECU, etc.
  • a semiconductor device eg, semiconductor chip, etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Automation & Control Theory (AREA)
  • Transportation (AREA)
  • Mechanical Engineering (AREA)
  • Human Computer Interaction (AREA)
  • Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • General Physics & Mathematics (AREA)
  • Traffic Control Systems (AREA)
  • Control Of Driving Devices And Active Controlling Of Vehicle (AREA)
  • Safety Devices In Control Systems (AREA)
  • Debugging And Monitoring (AREA)
  • Numerical Control (AREA)
US18/353,778 2021-01-22 2023-07-17 Processing method, processing system, and processing device Pending US20230356714A1 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2021-009033 2021-01-22
JP2021009033 2021-01-22
PCT/JP2021/048802 WO2022158272A1 (ja) 2021-01-22 2021-12-28 処理方法、処理システム、処理プログラム、処理装置

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/048802 Continuation WO2022158272A1 (ja) 2021-01-22 2021-12-28 処理方法、処理システム、処理プログラム、処理装置

Publications (1)

Publication Number Publication Date
US20230356714A1 true US20230356714A1 (en) 2023-11-09

Family

ID=82549426

Family Applications (1)

Application Number Title Priority Date Filing Date
US18/353,778 Pending US20230356714A1 (en) 2021-01-22 2023-07-17 Processing method, processing system, and processing device

Country Status (5)

Country Link
US (1) US20230356714A1 (enExample)
JP (1) JP7428272B2 (enExample)
CN (1) CN116783106A (enExample)
DE (1) DE112021006871T5 (enExample)
WO (1) WO2022158272A1 (enExample)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20240199039A1 (en) * 2022-12-14 2024-06-20 Hyundai Motor Company Apparatus for controlling autonomous driving and method thereof
US20240286626A1 (en) * 2023-02-23 2024-08-29 Waymo Llc Methods and Systems for Automatic Introspective Perception
US12415506B2 (en) * 2022-10-28 2025-09-16 Hyundai Motor Company Method and system for preventing or mitigating rear-end collisions of a motor vehicle and potential multiple vehicle collisions

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009274594A (ja) * 2008-05-15 2009-11-26 Hitachi Ltd 車線変更支援装置
JP5573617B2 (ja) * 2010-11-12 2014-08-20 トヨタ自動車株式会社 危険度算出装置
EP4220603A1 (en) 2016-12-23 2023-08-02 Mobileye Vision Technologies Ltd. Navigational system with imposed constraints
CN110657820A (zh) * 2017-01-12 2020-01-07 御眼视觉技术有限公司 基于车辆活动的导航
JP6822309B2 (ja) * 2017-05-16 2021-01-27 株式会社デンソー 自動運転支援装置および自動運転支援方法
JP2019069659A (ja) * 2017-10-06 2019-05-09 トヨタ自動車株式会社 運転支援装置

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12415506B2 (en) * 2022-10-28 2025-09-16 Hyundai Motor Company Method and system for preventing or mitigating rear-end collisions of a motor vehicle and potential multiple vehicle collisions
US20240199039A1 (en) * 2022-12-14 2024-06-20 Hyundai Motor Company Apparatus for controlling autonomous driving and method thereof
US20240286626A1 (en) * 2023-02-23 2024-08-29 Waymo Llc Methods and Systems for Automatic Introspective Perception

Also Published As

Publication number Publication date
CN116783106A (zh) 2023-09-19
JPWO2022158272A1 (enExample) 2022-07-28
JP7428272B2 (ja) 2024-02-06
DE112021006871T5 (de) 2023-11-30
WO2022158272A1 (ja) 2022-07-28

Similar Documents

Publication Publication Date Title
US20230356714A1 (en) Processing method, processing system, and processing device
US20230391333A1 (en) Processing method, processing system, and storage medium
US20240036575A1 (en) Processing device, processing method, processing system, storage medium
US20240034365A1 (en) Processing method, processing system, storage medium storing processing program, and processing device
US12454288B2 (en) Processing method, processing system, and storage medium storing processing program
JP7732594B2 (ja) 処理システム及び情報提示装置
US12325449B1 (en) Safe vehicle operation using log data
US20240367648A1 (en) Movement control system, movement control method, movement control device, and information processing device
JP7750336B2 (ja) 処理装置及び処理プログラム
WO2023145490A1 (ja) 運転システムの設計方法及び運転システム
WO2023145491A1 (ja) 運転システムの評価方法及び記憶媒体
JP7586294B2 (ja) 処理方法、処理システム、処理プログラム
JP7586295B2 (ja) 処理方法、処理システム、処理プログラム
JP7790559B2 (ja) 処理方法、運転システム、処理装置、処理プログラム
US20240083419A1 (en) Processing method, processing system and storage medium for storing processing program
US20240336271A1 (en) Method, processing system, and recording device
US20250022374A1 (en) Processing method, driving system, processing device, and program product thereof
US20250346180A1 (en) Driving assistance system, driving assistance method, and driving assistance program
US20250346233A1 (en) Driving assistance system, driving assistance method, and driving assistance program
JP2025186450A (ja) 車両及びコンピュータ

Legal Events

Date Code Title Description
AS Assignment

Owner name: DENSO CORPORATION, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BABA, ATSUSHI;TOHDO, TETSUYA;SIGNING DATES FROM 20230703 TO 20230704;REEL/FRAME:064315/0573

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION COUNTED, NOT YET MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER